News Now

Heartland tests new encryption

PRINCETON, N.J. (7/2/09)--Heartland Payment Systems, one of the nation’s largest payments processors, successfully completed the first phase of its end-to-end encryption pilot project Monday in response to last year’s data breach.

The company announced in January that its processing system was breached last year, compromising millions of credit cards and affecting credit unions and their members nationwide. Credit unions in Alabama, California, Florida, Louisiana and Texas have joined in class action lawsuits seeking damages related to the Heartland breach (News Now Jan. 21, March 2 and April 2).

The first step of the company’s pilot involved transmitting live Advanced Encryption Standard (AES)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is on track to replace Data Encryption Standard (DES) and Triple DES as the desired standard for sensitive data, said Heartland (BusinessWire June 30).

To his knowledge, this is the first time encrypted transactions have been sent from a merchant’s card reader to and through a major processor’s payments network, said Robert O. Carr, Heartland chairman/CEO.

“[Monday’s] transactions involved a Texas-based merchant and multiple credit card, prepaid and signature debit card transactions testing each of the major card brands,” Carr said. “These cards were read by our newly developed pilot tamper-resistant security module (TRSM) terminal. The data was encrypted as the electronic digits left the magnetic stripe and entered the TRSM hardware device. The data was then successfully transmitted to and through our processing platform for authorization and settlement.

“Typically, cardholder data is unencrypted as it leaves a merchant’s terminal and is not encrypted until it is either tokenized in a gateway or at rest in the processing platform’s data warehouse,” Carr continued.

Cardholder data in transit is at risk of being compromised if cyber criminals or hackers use methods such as network or memory sniffer malware to get the data.

“To protect data throughout the life cycle of a credit, debit or prepaid card transaction, Heartland is developing end-to-end encryption technology we call E3 that is designed to encrypt the transaction from the card read through our network and ultimately through transmission to the card brands,” he added.

Credit unions are still reissuing members’ cards compromised in Heartland’s data breach. For example, Omaha (Neb.) Police FCU is replacing 1,167 of its members’ debit cards after being notified that the cards were among those compromised in the Heartland data breach (Omaha World-Herald June 30).